Cybersecurity Leadership and Governance in the Public Sector
Using the PAC approach to guide public leadership in the development and execution of cybersecurity programs.
The leadership framework of purpose, alignment, and commitment (PAC) proposed by Rune Todnem By (2021) in Leadership: In Pursuit of Purpose provides a lens for examining how public leaders should create and execute cybersecurity programs and respond to data breaches affecting citizens. Here, public leaders include political, elected, and professional administrative staff.
Leadership grounded in PAC is not a philosophical ideal. In the arena of privacy and data protection, sustained alignment and commitment are practical imperatives for protecting citizen data, ensuring resilient digital institutions, and maintaining public trust in data governance.
Introduction
Recent leadership responses to cyber breaches and outages occurring in political subdivisions reveal a troubling pattern: fragmented decision-making, delayed communication, outright deniability, and a lack of accountability (yes, lacking accountability and hiding behind deniability are different). These failures often stem not from technological gaps, but from leadership voids.
The principled purpose, alignment, commitment (PAC) leadership framework offers a compelling model for addressing these challenges. Developed by Rune Todnem By, PAC emphasizes that effective leadership begins with a clearly defined purpose, requires alignment across systems and stakeholders, and is realized through unwavering commitment. In the context of cybersecurity governance, this means leaders must move beyond compliance checklists and legal formalities to embrace a proactive, value-driven approach that prioritizes the merger of public trust and institutional resilience.
Unfortunately, many public institutions default to legal professionals as de facto crisis leaders during cyber incidents. While lawyers play a critical role in managing liability and regulatory obligations, they are not equipped to lead the operational, strategic, and human-centered responses that cybersecurity demands.
Lawyers are great at setting up tactics for communication and estimating event costs. However, public institution and elected leaders are the clients, not the citizens. Here, the attorney-first strategy takes an off-road turn. Deniability and accountability dodging are presented as priorities for leadership and their teams. Citizens are communicated with as adversaries, and their data, privacy, and identities are traded off for political recovery and litigation posturing.
This misalignment often furthers other reactive, opaque, and risk-averse behaviors that erode public confidence and delay true recovery (true, opposed to whatever citizens are told through press releases).
In this article I explore how PAC leadership can transform cybersecurity governance in the public sector. I examine the pitfalls of current leadership practices, the limitations of legal-centric crisis management, and the urgent need for purpose-driven, aligned, and committed leadership. This is the beginning of an exploration to develop and provide a roadmap for building resilient public institutions that recognize the value of and honor the responsibility to sustain public trust.
Is There a Public Leadership Problem?
Municipal governments across the United States have become increasingly frequent targets of cyberattacks, with 2024 and 2025 witnessing a surge in ransomware incidents and data breaches. These events have not only disrupted essential services but also exposed critical weaknesses in local cybersecurity governance, leadership truthfulness, and preparedness.
I’ll touch on three close-to-home events to set some context.
In July 2024, the City of Columbus, Ohio, narrowly avoided a catastrophic ransomware attack when a foreign threat actor infiltrated its IT infrastructure. While the city’s Department of Technology acted swiftly to sever internet connectivity and limit exposure, the breach revealed a troubling delay in leadership coordination. Despite early signs of compromise, the city’s executive leadership took nearly three weeks to respond to state-level offers of cybersecurity assistance. This delay, attributed to fragmented decision-making and a lack of predefined escalation protocols, underscores the need for clearer leadership roles and faster alignment in crisis response.
Two big issues occurred that were never properly resolved. One, many public safety documents (police documents and images) were exfiltrated (exfil: data exfiltration) and exposed on the dark web. There is proof.
Documents with past and, to a lesser degree, present employment information were exfiltrated and exposed on the dark web. The legal recourse for those citizens who brought suit (many city workers, such as police officers, were plaintiffs) was stifled by the immunity defense.
The other issue was the arrest of a cybersecurity researcher for sharing the truth with the local news. This deserves a dedicated write-up; within the scope of this article, it is important to note the extreme detour leadership can take without proper preparation and guidance.
Cleveland, Ohio, experienced a ransomware attack in the same summer, which compromised resident data and disrupted municipal operations. Unlike Columbus, Cleveland leadership promptly engaged the Ohio Cyber Reserve, demonstrating the value of proactive leadership and interagency collaboration. The contrasting responses between these two cities highlight how leadership commitment and alignment with external cybersecurity resources can significantly influence the trajectory of an incident.
In Huber Heights, a suburb of Dayton, a November 2024 cyberattack compromised the personal information of nearly 6,000 residents. The city did not request assistance from state cybersecurity teams, opting instead to manage the incident internally. This decision, while within the bounds of local governance autonomy, raised concerns about the adequacy of internal capabilities and the risks of siloed responses in the face of sophisticated threats.
These cases reveal a common pattern: while technical vulnerabilities may serve as entry points, it is often leadership inertia, misalignment, or overreliance on legal or technical silos that exacerbates the damage. The PAC framework offers a corrective approach. Municipal leaders must define cybersecurity as a public trust priority, align internal and external response mechanisms, and demonstrate sustained commitment to resilience beyond the immediate crisis.
Purpose: Establishing Vision and Public Trust
Public sector cybersecurity requires leaders to define a purpose that transcends compliance. The purpose should be anchored in the protection of citizens’ data as a public good. This vision must integrate ethical stewardship, transparency, and societal benefit into every element of the cybersecurity strategy. Drawing from the ISO 31000 principle of integration, risk management must be embedded within governance structures and decision-making processes. When public leaders articulate a clear purpose, such as protecting citizen information as a principle of democratic legitimacy, it easily aligns technology, legislation, and operational resilience under a shared mission.
‘Easily’ is a word I use intentionally. It is very difficult and expensive to back policies that allow leaders to absolve themselves when they allow the identities and assets of voters and taxpayers to be breached or stolen.
A purpose that only intends to transfer all harms caused or allowed by public leadership is not aligned with the citizenry’s expectations or wellbeing.
Alignment: Integrating Governance and Response
Alignment is where purpose becomes inclusive and operational. Leaders must ensure that cybersecurity programs are synchronized across legal, administrative, and technical systems, and with citizen expectations.
Data and identity protection are not legal trade-offs for absolution, and immunity defenses are misaligned with voter expectations that they are voting for professionals. The principle of alignment enables leaders to connect citizens’ expectations with the operational and legislative systems designed to protect that trust.
The NIST Cybersecurity Framework provides a structured foundation for municipal cybersecurity programs through its core functions: Identify, Protect, Detect, Respond, and Recover. Within a Purpose, Alignment, and Commitment (PAC) perspective, alignment means translating these functions into a coherent ecosystem where data protection mandates, breach response protocols, and operational practices reinforce one another.
When municipal leaders align legislative intent and technical execution with citizen stakeholder expectations, they not only create a system that is predictable, accountable, and adaptive to evolving threats but one of cohesion and trust.
This adds to the structured and continuous improvement principles of ISO 31000. Misalignment, however, manifests as inconsistent communication, delayed response, and public distrust. True alignment ensures that every department, from IT and legal to emergency management and public relations, operates from a shared understanding of how to safeguard citizen data and sustain essential services during and after cyber events.
Commitment: Leading with Accountability and Continuity
Commitment transforms strategy into sustained practice. Public leaders must demonstrate visible accountability for cybersecurity outcomes, not just delegate responsibility to technical units. This commitment extends to ensuring adequate funding, continuous workforce training, and transparent communication during and after incidents. In the NIST framework’s “Respond” and “Recover” phases, commitment is expressed through timely notifications, cross-agency coordination, and restoring citizen confidence by updating policies and learning from each event. It also requires recognizing human and cultural factors in decision-making, a principle central to ISO 31000, ensuring that leadership empathy and communication are as important as technology and policy.
Conclusion
In the context of public privacy and data security, By’s leadership constellation of purpose, alignment, and commitment forms the essential framework for trustworthy governance and public administration. When leaders view cybersecurity not as a burden or mere compliance task, but as a shared public responsibility rooted in common purpose, they enable coherent strategies and swift, responsible responses to breaches, and they build resilient digital institutions.
The future of public trust in digital governance depends on this integration of moral clarity and operational excellence, where leadership purpose aligns every system, and commitment sustains every recovery.